Securing Industrial Control Systems: An E2E Integrity Verification Approach
Sye-Loong Keoh, Ken Wai-Kin Au
School of Computing Science
University of Glasgow
Zhaohui Tang
School of Infocomm
Republic Polytechnic, Singapore

Introduction
• Industrial Control Systems (ICS) are used to monitor and control industrial facilities and processes:
– Power Grid: generation, distribution, load balancing and billing.
– Chemical and Nuclear Plant: control of safety critical processes.
– Gas and Water Facilities: collect measurements from PLC/sensors and issue commands to actuators.

Data Aggregation
• The master exchanges data with the slaves (field controllers) by means of cyclic polling.
• Data collected at the field controllers can be aggregated.

An Example ICS Architecture
[Figure: example ICS architecture. Source: Siemens]

Integrity of Sensor Data
[Figure: field devices fd1–fd6 send measurements ms1–ms6 to the field controllers, which forward the aggregates {ms1, ms2, ms3} and {ms4, ms5, ms6} to the central controller. Vulnerabilities labelled: fraud, selectively reporting, single point of failure. Altered readings are shown as (m’s1, m’s2, m’s3).]

Security Requirements
• Data Integrity – the measurements on the field devices must reflect the current state of the instruments in the plant. Threat: modification and tampering.
• Data Origin Authentication – important to ensure that measurements are taken using the designated field devices. Threat: spoofing.
• Secure Data Aggregation – though data are aggregated to save bandwidth, the central controller (Back End Master) must have the ability to check the integrity and data origin.

Background: Chameleon Hashing
• Chameleon Hashing
– Hash function with a trapdoor for finding collisions.
– Associated with a public/private key pair.
– The private key serves as the trapdoor.
• Properties
– Chameleon Hash Value [CHV] = CHA_HASH(y, m, r).
– Given the trapdoor x, find a collision [m’, r’] where m’ ≠ m and r’ ≠ r.
– Hence [CHV] = CHA_HASH(y, m’, r’).
• Chameleon Signature
– Apply a traditional signature, e.g., DSA, RSA, ECC, to the Chameleon Hash.

System Setup
[Figure: three columns, Field Devices, Field Controllers and Back-end. Field devices hold the trapdoor hash key (x), the device ID (Idfd) and the trapdoor chameleon hash function. Field controllers and the back-end each hold the chameleon hash key (y) and the chameleon hash function. The columns are connected by secure channels.]

Key Generation (Chameleon Hash Key)
• Krawczyk and Rabin’s discrete logarithm construction
– Two primes p and q are randomly generated such that p = kq + 1, where q is a large prime factor.
• An element g of order q in $\mathbb{Z}_p^*$ is chosen, and the private key is $x \in \mathbb{Z}_p^*$. The public key y is generated as
$$y = g^x \bmod p$$

Generation of Chameleon Hash (Chameleon Hashing)
• Given a message $m \in \mathbb{Z}_p^*$, choose a random value $r \in \mathbb{Z}_p^*$; the Chameleon Hash, denoted as CHV, can be computed as:
$$\mathrm{CHA\_Hash}(m, r) = g^m y^r \bmod p$$
• Only the field devices have the ability to produce the same Chameleon Hash using a different message m’, such that CHA_Hash(m, r) = CHA_HASH(m’, r’), by solving for r’ in
$$m + xr = m' + xr' \bmod p$$

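Protocol Overview: Phase 1
[Figure: three columns, Field Devices, Field Controller and Back-end. Time is divided into intervals. Field devices fd1–fd3 send readings (e.g. m21) to the field controller, which forwards {m11, m21, m31} to the back-end for verification, storing of readings and process control. Property shown: aggregated data integrity.]
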
Protocol Overview: Phase 2
[Figure: two columns, Field Devices and Back-end. After t sessions in each interval, the readings {m11, m12, …, m1t}, {m21, m22, …, m2t} and {m31, m32, …, m3t} of fd1–fd3 are each verified at the back-end, alongside process control. Property shown: end-to-end data authentication & integrity.]

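Secure End-to-End Data Aggregation (Phase 1: interval 1, session 1)
Parties: Field Devices, Field Controller, Back-end
• Field devices fd1, fd2, fd3 send their readings (e.g. m2,1) to the field controller.
• Field controller:
– AggData1 = {m1,1, m2,1, m3,1, …}
– CHV1 = CHA_HASH(AggData1, r1)
– SEC_MSGfc,1 = SIGN(Privfc, CHV1)
– Sends SEC_MSGfc,1, AggData1 to the back-end.
• ACK: r1
• Back-end: verifies the signature and stores the readings:

| fd1 | fd2 | fd3 | CHV |
| m1,1 | m2,1 | m3,1 | CHV1 |
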
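Secure End-to-End Data Aggregation (Phase 1: interval 1, session 2)
Parties: Field Devices, Field Controller, Back-end
• Field devices fd1, fd2, fd3 send their readings (e.g. m2,2) to the field controller.
• Field controller:
– AggData2 = {m1,2, m2,2, m3,2, …}
– CHV2 = CHA_HASH(AggData2, r2)
– SEC_MSGcc,2 = SIGN(Privcc, CHV2)
– Sends SEC_MSGfc,2, AggData2 to the back-end.
• ACK: r2
• Back-end: verifies the signature and stores the readings:

| fd1 | fd2 | fd3 | CHV |
| m1,1 | m2,1 | m3,1 | CHV1 |
| m1,2 | m2,2 | m3,2 | CHV2 |
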
Phase 1: Protocol Summary
Transmission of Evidence (Phase 2: E2E Integrity Verification)
• Time is divided into intervals, where each interval consists of t sessions.
• At the end of each interval, field devices choose an $r_v$ where $1 \le v \le t$, so that
$$\mathrm{CHA\_HASH}(m'_i, r'_i) = \mathrm{CHA\_HASH}(\mathit{AggData}_v, r_v)$$
• m’ denotes all the readings recorded by the field device i in the interval: $\{Id_{fd,i}, m_{i,1}, m_{i,2}, \ldots, m_{i,t}\}$

Transmission of Evidence (Delayed-Integrity-Verification)
• To verify this, we need to solve for $r'_i$:
$$r'_i \bmod p = (\mathit{AggData}_v + x r_v - m')\, x^{-1} \bmod p$$
• However, field devices do not know $\mathit{AggData}_v$ (sent by the field controller). Instead they can compute a commitment that allows the back-end to verify integrity and authenticity:
$$y^{x^{-1}} \bmod p, \qquad y^{x r_v x^{-1}} \cdot y^{-m' x^{-1}} \bmod p$$

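Delayed-Integrity-Verification: Phase 2
Parties: Field Devices (fd1, fd2, fd3), Back-end
• The field device holds r1, r2, r3, … and may use any of them, e.g., r1.
• fd1 forms m’ = {IDfd,1, m1,1, m1,2, m1,3, …} and finds a collision (m’, r’).
• fd1 sends IDfd,1 and its commitment to the back-end:
$$y^{x^{-1}} \bmod p, \qquad y^{x r_1 x^{-1}} \cdot y^{-m' x^{-1}} \bmod p$$
• The back-end verifies the hash against CHV1 (√), using its stored readings:

| fd1 | fd2 | fd3 | CHV |
| m1,1 | m2,1 | m3,1 | CHV1 |
| m1,2 | m2,2 | m3,2 | CHV2 |
| m1,3 | m2,3 | m3,3 | CHV3 |
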
Integrity Verification (Delayed-Integrity-Verification)
• We need to solve this:
$$r'_i \bmod p = (\mathit{AggData}_v + x r_v - m')\, x^{-1} \bmod p$$
• But, essentially we want to compute CHA_HASH(m’, r’), so we need $y^{r'_i} \bmod p$, which is
$$y^{x^{-1} \mathit{AggData}_v} \times y^{x r_v x^{-1}} \cdot y^{-m' x^{-1}} \bmod p$$
with the commitment supplying $y^{x^{-1}}$ and the last two factors.
[Figure: back-end table of stored readings for fd1, fd2, fd3 with CHV1, CHV2, CHV3, looked up by IDfd,1.]

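The chameleon hash, the trapdoor collision and the Phase 2 commitment check described in the slides above, as an added Python example (not taken from the slides or from the authors' Java prototype). The toy group (p = 2039, q = 1019, g = 4), the SHA-256 message encoding and all function names are assumptions; exponents are reduced modulo q, the order of g, where the slides write mod p.

```python
import hashlib

# Constructed toy group, far too small for real use: p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def to_int(msg: bytes) -> int:
    """Assumed encoding: map a byte string to an exponent via SHA-256 mod q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x: int):
    """Trapdoor x stays on the field device; y = g^x mod p is public."""
    if not 0 < x < Q:
        raise ValueError("x must be invertible modulo q")
    return x, pow(G, x, P)

def cha_hash(y: int, m: int, r: int) -> int:
    """CHA_HASH(m, r) = g^m * y^r mod p."""
    return pow(G, m, P) * pow(y, r, P) % P

def find_collision(x: int, m: int, r: int, m2: int) -> int:
    """Solve m + x*r = m2 + x*r2 for r2 using the trapdoor x."""
    return (m + x * r - m2) * pow(x, -1, Q) % Q

def commitment(x: int, y: int, r_v: int, m2: int):
    """The factors of y^r2 that the device can compute without AggData_v."""
    x_inv = pow(x, -1, Q)
    return pow(y, x_inv, P), pow(y, (x * r_v - m2) * x_inv % Q, P)

def backend_verify(y: int, chv: int, agg: int, m2: int, commit) -> bool:
    """Back-end completes y^r2 with its stored AggData_v, then rehashes m2."""
    c1, c2 = commit
    y_r2 = pow(c1, agg, P) * c2 % P
    return pow(G, m2, P) * y_r2 % P == chv

if __name__ == "__main__":
    x, y = keygen(123)                          # constructed device key
    agg, r_v = to_int(b"20.1,18.4,7.9"), 77     # constructed AggData_v and r_v
    chv = cha_hash(y, agg, r_v)                 # value the back-end stored in Phase 1
    m2 = to_int(b"fd1|20.1|20.3|20.2")          # device's own record m'
    c = commitment(x, y, r_v, m2)
    print("records match  :", backend_verify(y, chv, agg, m2, c))
    print("records altered:", backend_verify(y, chv, agg, (m2 + 1) % Q, c))
```

The check fails as soon as the m’ rebuilt from the back-end's stored readings differs from the record the field device committed to.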
Prototype Implementation
• The prototype was implemented in Java and deployed on a Raspberry Pi Model B+
– CPU: 700 MHz Low Power ARM processor
– Memory: 512 MB
• Preliminary performance results

| Device | Operation | Time (ms) |
| Controller | Chameleon Hashing | 0.955955 (PC) |
| Field Device | Generation of Commitment | 111.6 (Pi) |
| Back End | Integrity Verification | 2.288591 (PC) |
| Field Device | Signature generation | 5830 (Pi) |

Conclusions
• Our scheme provides:
– Data Integrity
– Data Origin Authentication
– Secure Data Aggregation
• Novel use of Chameleon Hashing and Signature other than its traditional usage, to detect misbehaviour of controllers or aggregators in ICS/SCADA.
• Future work:
– Implement the protocol on real hardware or ICS platform.
– Protocol can be generalized to be used in AMI, body sensor network, or any network with a hierarchical structure.

Thank You
Sye-Loong Keoh
School of Computing Science
University of Glasgow